I found a way to detect the spoof or ARP program

kindly do the following:

1-add the rule in the new terminal
2-edit this rule by yourself
3-remove all IPs from address list
4-try to run Net Cut to find if the Microtik detected it or not


first,add this code in the new terminal

/ip firewall filter

add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list

add action=jump chain=forward comment="Check if dest is an open customer" disabled=no dst-address-list=open-customers jump-target=open-customers
add action=jump chain=forward comment="Check Known Bad Hosts" disabled=no jump-target=bad-hosts
add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list

add action=return chain=bad-host-detection comment="Take no action on bogons" disabled=no src-address-list=bogons
add action=add-src-to-address-list address-list=30-seond-list address-list-timeout=30s chain=bad-host-detection comment="Add to the 30 second list" disabled=no

add action=add-src-to-address-list address-list=24-hour-list address-list-timeout="1d 00:00:00" chain=bad-host-detection comment="If seen 20 time in 30 seconds add to the one day block list" disabled=no nth=50 src-address-list=30-seond-list
add action=return chain=bad-host-detection comment="" disabled=no


add action=jump chain=forward comment="jump to the bad-host-detection chain" disabled=no jump-target=bad-host-detection src-address-list=!our-networks

add action=jump chain=forward comment="jump to the bad-host-detection chain" disabled=no jump-target=bad-host-detection src-address-list=!our-networks
add action=log chain=forward comment="log and reject the rest" disabled=no log-prefix=""
add action=reject chain=forward comment="" disabled=no reject-with=icmp-network-unreachable



2-follow the next pic to edit this rule









But change 192.168.0.0/24 to your network IP


3-remove all IPs from the network like this pic





4-try to run Net Cut

After 10 seconds you will see the IP in the "30 seconds list"





After 10 seconds you will see the IP in the "24 list"


As you see the Microtik catch the IP he run net cut

Thank you!!! Very useful.

Do I need to put these firewall rule at the top?
Do they work with v4.13

Very Good indeed...

Now if we could only redirect browser traffic to a page saying:

"We have detected Netcut or Arp tool running in your system. Thus we have blocked your traffic for XXseconds. Please unistall to avoid further inconviencies"

That would be awesome !

Capital

the problem that netCut still show some IPs and mac and the user can change his as those.

We need a code that prevent a mac address with different host in short time (shorter than the keep alive time)

Thank you mohamed, that is very helpful. Also this detector can detect all progams like netcut? For example: wireshark?

thanks

hello mohamed, can you repost the images as they are not visible anymore and I would like to try this... thanks!

hello mohamed, can you repost the images as they are not visible anymore and I would like to try this... thanks!

same thing here, requesting for the image upload, or please send links to my private messages.

Copy of the original posters images: Copy of the original posters images: Copy of the original posters images: Copy of the original posters images.

Copy of the original posters images:

Good thing I had a Backup huh

It is 07.08 AM at my office, and you have brighten my day!

THANK YOU mohamed and NetworkPro, best wishes for you all.

i have already setup my mikrotik server v (5.7)
and i used the fake gateway to perevent the netcut
but there is a strange thing happened :
when i open the netcut on my PC
i found a many numbers of IPs ( unlimited numbers ) is this a type of hacking or what >?!
here is the PIC

I'm running v4.6 and when I add the code via the terminal I get an error with this piece of code:
Error: failure: nth_every and nth_packet must be >= 0

Does anyone know what that means and how to fix it?

to protect your networks from this - set up wireless encryption and for wired network set up encrypted pppoe.

PPPoE requires additional processing and software layer that adds high probability of issues including CPU consumption

use that additional security as required. I really doubt that "smart-guys" are all over the network. And yes, it is only way how to protect the network from them as there is no way around it other but brake the encryption.

port isolation (port protected), DHCP or better static assignment, VRRP, MSTP, per-client VLANs if it will be cheaper

how exactly that will save you from someone who sniffs the traffic and spoofs IP/MAC of your device?

Access switches with security features.

care to post some exapmles - what switches, links to documentation?

else it looks like trolling

Sorry I should have been more clear.

Port Isolation.

A switch that is able to send traffic from the access port only to the trunk port so it never reaches other access ports. Port isolation.

namely VLAN with something similar to default-forwarding in wireless? If so, you can still sniff the traffic and notice the vlan tag, or that is me over-simplifying?

IMHO - security through obscurity is only disaster waiting to happen.

What is your argument exactly ?

switch in the middle, mirror port - problem solved

Physical access is a separate topic.

Cutting, crimping cable and sticking switch in the middle does not take a lot of time. Of course, if there is a network that is less protected (even not obscured) attacker will go with that one.

Adding a bit more powerful router with PPPoE server and using cheaper switches costs the same and offers more security not giving any change to attacker. drop in RADIUS server to manage logins.

why not

when user have to remember its login and password - it's bad

direct access ruleZ!

IP-MAC-Port binding + DHCP Shooping on access switches do the work for us

Hi There!
Is it really working?

ros code

/ip firewall filter
add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list 
add action=jump chain=forward comment="Check if dest is an open customer" disabled=no dst-address-list=open-customers jump-target=open-customers 
add action=jump chain=forward comment="Check Known Bad Hosts" disabled=no jump-target=bad-hosts 
add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list 
add action=return chain=bad-host-detection comment="Take no action on bogons" disabled=no src-address-list=bogons 
add action=add-src-to-address-list address-list=30-seond-list address-list-timeout=30s chain=bad-host-detection comment="Add to the 30 second list" disabled=no 
add action=add-src-to-address-list address-list=24-hour-list address-list-timeout="1d 00:00:00" chain=bad-host-detection comment="If seen 20 time in 30 seconds add to the one day block list" disabled=no nth=50 src-address-list=30-seond-list 
add action=return chain=bad-host-detection comment="" disabled=no 
add action=jump chain=forward comment="jump to the bad-host-detection chain" disabled=no jump-target=bad-host-detection src-address-list=!our-networks 
add action=jump chain=forward comment="jump to the bad-host-detection chain" disabled=no jump-target=bad-host-detection src-address-list=!our-networks 
add action=log chain=forward comment="log and reject the rest" disabled=no log-prefix="" 
add action=reject chain=forward comment="" disabled=no reject-with=icmp-network-unreachable

guys i have executed the rules in the above , and i have got trouble in internet connection it's break down even though I cleared all the ip in address list , I need your help please.